Apple has finally bitten the bullet and started offering two-factor authentication (2FA) for Apple ID users.
Good news!
If you have an Apple ID, you'll know that a lot is at stake if you lose control of your account.
That's because Apple IDs aren't just simple website logins, but make up the authenticational core of your entire digital relationship with Apple:

An Apple ID is the login you use for just about everything you do with Apple, including using iCloud to store your content, downloading apps from the App Store, and buying songs, movies, and TV shows from the iTunes Store.
The risk you're exposed to if a malcontent gets hold of the password for your Apple ID became globally obvious last year.
A neo-celebrity post-modern journalist named Mat Honan famously had his digital life owned and then laid waste by an internet ne'er-do-well who tricked Apple support staff into resetting Honan's Apple password.
As we reported about seven months ago, the person who attacked Honan's account wasn't happy just with breaching security at Apple.
The cracker also took the trouble of performing a remote wipe of Honan's iDevices, instantly turning the data on his iPhone, iPad and Macbook Air into digital shredded cabbage.
The crook was also able to take over Honan's Gmail account, his Twitter account and (through account linking) the Twitter account of Gizmodo, with whom Honan had a trusted journalistic relationship.
Protecting all of those assets with a single password that could be guessed, keylogged, stolen or simply changed by means of a social engineering phone call just wasn't enough.
A few months before Honan's digital wipeout, Apple introduced an additional layer of security for Apple IDs by pushing its users into adding a raft of answers to additional "security questions".
The theory behind this approach is that crooks will need to beg, steal or borrow more than just your password in order to masquerade as you, thus providing you with modest insurance against a poorly-chosen or stolen password.
I'm not a big fan of auxiliary security questions, sometimes called knowledge-based authentication, because I don't accept that you can make a guessable password strong by augmenting it with yet more guessable answers to questions you've chosen on your users' behalf. Worse still, users can't change the answers to absolute security questions like "what was your first car", which also naively presumes that everyone in the world has not only owned a car but also managed to keep its make a secret from everyone else, even their friends.
Now, Apple has gone an extra mile, making 2FA available, at least to some of its users. (At the moment, you have to be in the US, the UK, Australia, Ireland, or New Zealand.)
Actually, Apple doesn't call it 2FA, preferring instead the term two-step verification.
It works by sending an SMS to one of a number of mobile devices you have registered with Apple; the message contains a one-time passcode that you need in addition to your regular password:

By avoiding the name 2FA, Apple is actually making a slightly weaker, but more honest, security assertion.
That's because there is nothing to stop you getting Apple to send your SMS verification codes to the same device on which you actually use your Apple ID.
Indeed, I suspect that many users will use two-step verification this way, and it isn't really two factor authentication if the same factor - your iPhone, for instance - is used for both steps of the process.
That's because someone who controls your iPhone to the point that they can acquire your password can, probably with not much more complexity, acquire in real time the contents of SMSes sent to your iPhone.
Nevertheless, Apple's new security feature does the right thing: it introduces single-use, random passwords to the Apple ID login process.
Another neat thing Apple has done, even though it sounds at first blush like a user-unfriendly move, is to cut its own support staff entirely out of the password reset loop for anyone who enables two-step verification:

In addition, with two-step verification turned on, only you can reset your password, manage your trusted devices, or create a new recovery key.
Apple Support can help you with other aspects of your service, but they will not be able to update or recover these three things on your behalf.
Yes, that puts all of the password recovery burden on your shoulders.
But it also provides a strong assurance against getting Honanised, because "can't" is a much stronger security situation than "shouldn't".
If Apple's staff cannot recover or reset your password, then even the Mitnickest social engineer in the world won't be able to talk them round.
So take Apple's advice, write down the 14-character emergency recovery key created when you enable two-step verification, and lock it away somewhere at home.
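To make the two properties discussed above concrete (a single-use, random passcode sent to a trusted device on top of the password, and a 14-character recovery key that is the only way to reset the password, with no support-staff path), here is a small model of such a login flow. It is an added illustration, not Apple's code, and the code lifetime, code length and recovery-key alphabet are assumptions rather than Apple's real parameters.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values for the model; Apple's real parameters are not on the page.
CODE_TTL = 300  # seconds a one-time code stays valid
RECOVERY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class TwoStepAccount:
    def __init__(self, password, trusted_devices):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.trusted_devices = set(trusted_devices)
        self.pending = {}  # device -> (code, issued_at)
        # 14-character recovery key, shown once at enrolment; support never holds it
        self.recovery_key = "".join(secrets.choice(RECOVERY_ALPHABET) for _ in range(14))

    def step_one(self, password, device):
        """Check the password; if it is right, issue a fresh random code for a trusted device."""
        if device not in self.trusted_devices:
            return None
        if not hmac.compare_digest(self.pw_hash, _hash(password, self.salt)):
            return None
        code = f"{secrets.randbelow(10**4):04d}"
        self.pending[device] = (code, time.time())
        return code  # a real system sends this by SMS instead of returning it

    def step_two(self, device, code, now=None):
        """Consume the code: it is single-use (popped on first try) and expires after CODE_TTL."""
        now = time.time() if now is None else now
        entry = self.pending.pop(device, None)
        if entry is None:
            return False
        issued, at = entry
        return hmac.compare_digest(issued, code) and now - at <= CODE_TTL

    def reset_password(self, recovery_key, new_password):
        """Only the recovery key can reset the password; there is no support-staff path."""
        if not hmac.compare_digest(recovery_key, self.recovery_key):
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.pending.clear()
        return True
```

Note that a wrong or replayed code is rejected without leaking which check failed, and a reset with the recovery key also discards any code still pending.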
PS. Don't succumb to temptation. Take Apple's own advice that you "should not store your Recovery Key on your device or computer since that could give an unauthorized user instant access to it."